MALICIOUS
440
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The RTF file contains an embedded OLE object specifically targeting the Equation Editor, which is known to be vulnerable to CVE-2017-11882. The heuristics indicate the presence of a PE header within the hex-encoded object data, suggesting it's a dropper designed to execute a second-stage payload. ClamAV also identifies this as Rtf.Dropper.Agent-9965975-1.
Heuristics 11
-
Equation Editor CLSID critical CVE likely RTF_EQUATION_EDITOREquation Editor OLE CLSID found inside an OLE object — exploited by CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798
-
Equation Editor activation — CVE-2017-11882 related high CVE_2017_11882_ACTIVATION_RELATEDRTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
-
ClamAV: Rtf.Dropper.Agent-9965975-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Rtf.Dropper.Agent-9965975-1
-
PE header (with DOS stub) in hex data critical RTF_MZ_HEXHex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
-
\objupdate forces OLE activation high RTF_OBJUPDATERTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
-
Package object class high RTF_OBJCLASS_PACKAGEOLE Package object — can wrap arbitrary files
-
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEXRTF contains ~2042KB of hex-encoded data inside \objdata sections — may hide a payload
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
OLE object data medium RTF_OBJDATARTF contains 2 \objdata section(s) — embedded OLE objects
-
Embedded OLE object medium RTF_OBJEMBRTF contains \objemb — embedded OLE object
-
OlePres presentation stream in RTF OLE object medium RTF_OLEPRES_STREAMRTF contains an embedded OLE object with an OlePres presentation stream. OlePres is an OLE presentation marker and is not enough on its own to identify CVE-2025-21298.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
objdata_00_off000000f0.bin |
rtf-objdata-decoded | RTF \objdata at offset 0xF0 | 1021249 bytes |
SHA-256: e29e8dd59ce7e226c4ca2b4c63636155d8f4c1e477065a279d7e8acc10dd7796 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_GETPC_CALL Static shellcode analysis recovered API/import strings: kernel32.dll, msvcrt.dll, shlwapi.dll, KERNEL32.DLL, LoadLibraryA, GetProcAddress Carved artifact entropy is 7.93, consistent with packed or encrypted content.
|
|||
objdata_01_off001f2bc1.bin |
rtf-objdata-decoded | RTF \objdata at offset 0x1F2BC1 | 3980 bytes |
SHA-256: 91a362f096724026e67b87763ab917fe68c7443e4d8b3c0586f9bf1568eadfbd |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): cmd.exe /c%tmp%\msword.exe &��D$,f-Q���%
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.